Wednesday, 27 November 2019
Questions without Notice
My Health Record
My question is to Minister Cash, representing the Minister for Health. I refer the minister to Monday's ANAO report into My Health Record. This report stated that shared cybersecurity and privacy risks were not properly managed by the Digital Health Agency and had to be improved. It further stated that the last privacy risk assessment was undertaken in 2017, despite the Digital Health Agency providing funding to the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June this year. Minister, why were these Digital Health Agency pre-funded risk assessments not undertaken?
I thank Senator Griff for the question and for providing me with some prior notice. Senator Griff, I have been able to obtain the following information from the minister. The Morrison government welcomes the Australian National Audit Office's reporting, noting its conclusion that the implementation of the My Health Record opt-out was largely effective. The public should be reassured by the ANAO's findings that the government's implementation, planning, governance and communication were appropriate and the objectives were clearly specified in the legislation and translated into operational objectives and plans. Responding to the recommendations is a high priority for the government. The Australian Digital Health Agency will lead implementation of the five recommendations, which are to be actioned within 12 months of tabling, in consultation with the Department of Health, the Office of the Australian Information Commissioner, the medical software industry, clinical peaks, health care provider associations, professional indemnity insurers, and state and territory governments. In relation to the OAIC, it is an independent national regulator for privacy. I am advised further questions about their work should be directed to the OAIC. I'm also advised the OAIC have advised in the annual report of their activities in relation to digital health that the four assessments on foot will be finalised in 2019-20.
The ANAO report was also critical of the Digital Health Agency's board and the fact that it is yet to consider its updated cybersecurity strategy, even though it was finalised by the agency's executive a year ago. Minister, do you consider this delay represents good governance?
The ANAO found ADHA's management of privacy risks was largely appropriate, and ADHA conducted privacy impact assessments up until 2017 and implemented system and consumer-access controls. Senator Griff will also be aware that the ANAO report makes five recommendations, and, in relation to those recommendations, I am advised that the ADHA has accepted all of the recommendations, including that the ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risk and mitigation controls, and incorporate the results of this assessment into the—
In October estimates, the CEO of the Digital Health Agency stated the agency has 'a series of very advanced cybersecurity protections'. He further stated, 'there is absolutely no complacency', regarding cybersecurity in the agency. Minister, is it or is it not complacency when critical and paid-for risk assessments are not conducted, and cybersecurity strategies are allowed to gather dust for well over a year?
I am advised that there has been no security breach in the seven years that the My Health Record system has been in operation. My Health Record system security protects records from unauthorised access and guards against cyberattacks. The controls include secure gateways and firewalls, encryption, authentication mechanisms and malicious content filtering. The system is monitored around the clock by the agency's dedicated Digital Health Cyber Security Centre, which has been tested by the Australian Signals Directorate. The My Health system has been certified and accredited at the 'protected' level under the Australian government information security standards. The system is independently tested frequently to ensure the security settings are robust and working as designed. The Digital Health Agency will continue to work with the industry to ensure everyone across the health sector—